NIST: SMS two-factor is dead! If you're a US agency
- 27 July, 2016 09:27
Any service provider to the US government that relies on SMS for two-factor authentication may need to swap the method for something with fewer design weaknesses.
Despite known weaknesses in using SMS for multi-step authentication systems, it remains widely used in consumer applications because receiving a one-time code in an SMS is easier for people to understand than using a one-time code generator or the increasingly popular push notifications from a secure app.
But the ‘SMS is simple’ argument soon won’t cut it for authenticated access to applications provided by US government agencies, according to a new Digital Authentication Guideline from the US National Institute of Standards and Technology (NIST).
Anyone responsible for implementing new systems should use an alternative to SMS messages for authentication since text messages over public mobile networks can be “intercepted or redirected”, NIST noted.
NIST does set national guidelines for a range of technologies that are also used outside government. However, this particular document, SP 800-63B Authentication & Lifecycle Management, is one of three chapters of the overall Digital Authentication Guideline; it is aimed at government agencies and says nothing about SMS as an authentication method in consumer services, contrary to how it appears to have been interpreted.
To combat phone number spoofing, NIST also specifies that if SMS is used as an out-of-band verifier on a public mobile telephone network, “the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service.”
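What that requirement looks like at registration time, as an added illustration (not NIST's code and not part of the original article): the verifier normalises the submitted number to E.164, asks a line-type lookup whether it belongs to a mobile network, refuses VoIP and landline numbers, fails closed when the type is unknown, and only then issues a one-time code. The lookup table is constructed sample data standing in for a real carrier or number-intelligence query; the function and type names are this example's own.

```python
"""Pre-registration check for an SMS out-of-band authenticator, modelled on
the SP 800-63B clause quoted above. Illustrative example; the line-type
lookup below is a constructed in-memory table (assumption), not a real
carrier query."""
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: what a carrier line-type lookup might return.
SAMPLE_LINE_TYPES = {
    "+15555550100": "mobile",
    "+15555550101": "voip",
    "+15555550102": "landline",
}


def sample_lookup(e164: str) -> Optional[str]:
    """Constructed stand-in for a carrier line-type query (assumption)."""
    return SAMPLE_LINE_TYPES.get(e164)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    number: Optional[str]   # normalised E.164 form, or None if unparseable
    reason: str


def normalize_e164(raw: str, default_country_code: str = "1") -> Optional[str]:
    """Reduce a user-supplied number to E.164 (+<digits>) so the lookup and
    the stored registration compare consistently. Returns None if unusable."""
    digits = re.sub(r"[^\d+]", "", raw.strip())
    if digits.startswith("+"):
        digits = digits[1:]
    elif digits.startswith("00"):
        digits = digits[2:]
    elif len(digits) == 10:  # NANP local form; region is a deployment assumption
        digits = default_country_code + digits
    if not digits.isdigit() or not 8 <= len(digits) <= 15:
        return None
    return "+" + digits


def check_sms_number(raw: str, lookup: Callable[[str], Optional[str]]) -> Decision:
    """Apply the SP 800-63B rule: only a number bound to a mobile network may
    be registered for SMS out-of-band verification. Unknown line types are
    rejected (fail closed) rather than assumed to be mobile."""
    number = normalize_e164(raw)
    if number is None:
        return Decision(False, None, "not a well-formed telephone number")
    line_type = lookup(number)
    if line_type is None:
        return Decision(False, number, "line type unknown; refusing to assume mobile")
    if line_type != "mobile":
        return Decision(False, number, f"{line_type} number is not a mobile network number")
    return Decision(True, number, "mobile network number")


def issue_sms_otp(raw: str, lookup: Callable[[str], Optional[str]],
                  digits: int = 6) -> tuple[Decision, Optional[str]]:
    """Generate a one-time code only when the registration check passes.
    Returns the decision and the code (None if refused); delivery is out of scope."""
    decision = check_sms_number(raw, lookup)
    if not decision.allowed:
        return decision, None
    code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
    return decision, code


def verify_otp(expected: str, submitted: str) -> bool:
    """Constant-time comparison so the verifier does not leak which digits matched."""
    return hmac.compare_digest(expected, submitted.strip())


if __name__ == "__main__":
    for candidate in ("+1 (555) 555-0100", "555-555-0101", "+15555550102", "+15555550199"):
        decision, code = issue_sms_otp(candidate, sample_lookup)
        print(candidate, "->", "allowed" if decision.allowed else "refused", "|", decision.reason)
```

The fail-closed branch is the part worth keeping in a real deployment: a lookup provider that returns no type for a number should block registration, since treating "unknown" as "mobile" quietly reintroduces the VoIP redirection risk the clause is meant to close.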